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Patent 

SPECIFICATION 

SYSTEMS AND METHODS FOR THE AUTHENTICATION OF TRANSACTIONS 
INITIATED FROM NON-INTERNET ENABLED DEVICES 

1 . Field of the Inventions 

[001] The field of the invention relates generally to mobile payments and more 

specifically to the authentication of mobile payment transactions initiated from non-internet 
enabled devices. 

2. Background Information 

[002] Mobile telecommunications continues to be very successful, with an estimated 

one billion mobile subscribers by the end of 2002 (Source: The Universal Mobile 
Telecommunications Service (UMTS) Forum. The success of NTT DoCoMo's i-mode 
service in Japan, which currently has 34 million data subscribers, illustrates the appetite for 
compelling mobile data services. In CEMEA the viral uptake of short messaging services 
(SMS) has demonstrated the huge demand for non-voice services in those markets. A joint 
survey by Visa International and Boston Consulting predicts that combined e-commerce and 
m-commerce volumes will grow from $38 billion in 2002 to $128 billion in 2004. 
[003] In the meantime, high speed data networks, with more sophisticated wireless 

devices have the ability to transform mobile payment. Greater bandwidth, larger screens, 
colour displays, longer battery life and compelling content are converging to create an 
environment where consumers can purchase services and products on the move. However, the 
success of both e-commerce and m-commerce is contingent on the same factors that have 
fuelled the growth of physical payments namely security and privacy. Virtual payments, 
whether executed via a personal computer or a mobile phone must be subject to the same 
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common standards that govern physical payment card use in order to be perceived as famiiiar 
and secure. 

[004] In response to this need, the card associations have developed new online 

cardholder authentication standards and have globally mandated that from the 1 st of April 
2003, Acquirers of payment card transactions must offer to their online merchants the new 
standards such as the 3-Domain Secure (3-D Secure™) protocol which has been developed by 
Visa International and licensed to MasterCard. The objectives are to provide Issuers with the 
ability to authenticate cardholders during an online purchase. This will enable all parties in an 
on-line transaction to transmit confidential and correct payment data and provide 
authentication that the buyer is an authorized user of a particular card. 
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SUMMARY OF THE INVENTION 

[005] The 3-D Secure™ protocol specification defines an architecture and protocol 

for authenticating cardholders during Internet-based transactions. After initiating the final 
purchase action, the cardholder is placed into a dialogue with his issuing financial institution. 
The issuer authenticates the cardholder and sends a proof of identity back to the merchant; the 
merchant completes the transaction. 

[006] The 3-D Secure™ protocol was designed for the support of "Internet 

shopping", where the cardholder is shopping using their Internet-enabled device, and the 
authentication takes place over the Internet. However, the purchase and authentication can be 
performed using non-internet enabled devices and certain interactive technologies such as 
Interactive Voice Response (IVR), Short Message Services (SMS), SIM Toolkit (STK), 
Unstructured Supplementary Services Data (USSD) and Wireless Application Protocol 
(WAP) that have more limited capabilities. 

[007] This invention defines systems and methods that enable Issuers, Acquirers and 

Merchants to use the 3-D Secure™ online cardholder authentication protocol to authenticate 

cardholders transacting with non-internet enabled devices. The invention operates as a proxy 

on behalf of the cardholder and simulates a core 3-D Secure™ session to the Merchant Plug- 

♦ 

in (MPI) and Issuer Access Control Server (ACS). That is, it converts voice or data based 
messages received from non-internet enabled devices into a format that is consistent with the 
requirements of the 3-D Secure™ protocol. Further, the invention can be implemented 
without Issuers, Acquirers or Merchants having to upgrade or enhance infrastructure. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

[008] Features, aspects, and embodiments of the inventions are described in 

conjunction with the attached drawings, in which: 

[009] Figure 1 is a diagram illustrating an online cardholder authentication system in 

accordance with an example embodiment of the invention; 

[010] Figure 2 is a diagram illustrating the online cardholder authentication system 

of figure 1 in more detail, configured in accordance with an example embodiment of the 
invention; 



Patent 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

[01 1] To help better understand the systems and methods described herein, a specific 

example involving a transaction initiated from a non-internet enabled device over a wireless 
and wired network is examined below. 

[012] Figure 1 is a diagram illustrating an example embodiment of an online 

cardholder authentication system 100 configured in accordance with one embodiment of the 
systems and methods described herein. System 100 comprises a non-internet enabled device 
101 that is configured to communicate through a wired and/or wireless network 102 with a 
mobile Operator Server 103. System 100 also comprises a Virtual Cardholder System 104, a 
Merchant Plug-in 105, a Card Association Directory Service 106; and an Issuer Access 
Control Server 107; 

[013] Device 101 can be any type of device configured to communicate over a wired 

and/or wireless network, including but not limited to a land-line, mobile phone, personal 
digital assistant or laptop computer. 

[014] Network 102 can be any type of Internet, GSM, CDMA, TDMA, GPRS, 3G, 

Bluetooth, Infrared, RFED wired and/or wireless network, configured to support a range of 
interactive technologies including but not limited to Voice, SMS, STK, USSD, WAP and i- 
mode. 

[015] Accordingly, mobile Operator Server 103, Card Association Directory Service 

106 and Issuer Access Control Server 107 can be any type of server configured to support the 
above, non-internet enabled devices, wireless network protocols and interactive technologies; 
[016] Figure 2 is a flow chart illustrating an example online cardholder 

authentication process according to one embodiment of the system and methods described 
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herein. The process begins in step 201 when a cardholder dials a telephone number and 
submits a purchase request over network 102 to Operator Server 103 using an appropriate 
interactive technology. 

[017] In step 202 Operator Server 103 formats a message and sends it to Virtual 

Cardholder System 104 via a secure channel i.e. SSL, IPSec. The secure channel between 
Operator Server 103 and Virtual Cardholder System 104 is typically but not always a 
dedicated leased line. 

[018] In step 203 Virtual Cardholder System 104 extracts a unique identifier 

associated with non-internet enabled device 101 from the message, matches it with a 
corresponding value stored on a database, extracts the primary account number (PAN), Expiry 
Date and Card Verification Value (CW) if credit, retrieves the Merchant Plug-in URL from 
the message and simulating an Internet browser starts an http/s session with Merchant Plug-in 
105. 

[019] In step 204 Merchant Plug-in 105 formats a message and queries Card 

Association Directory Service 106 on the enrollment status of the PAN. 

[020] In step 205 if the PAN is in participating card range, Card Association 

Directory Service 106 queries the Issuer Access Control Server 107 to determine whether the 
PAN is enrolled. Issuer Access Control Server 107 formats a message and responds to the 
Card Association Directory Service 106 with PAN participation information. 
[021] In step 206 Card Association Directory Service 106 forwards the Issuer Access 

Control Server response to Merchant Plug-in 105. 

[022] In step 207 Merchant Plug-in 105 sends a message to Issuer Access Control 

Server 107 via Virtual Cardholder System 104. 



Patent 

[023] In step 208 Virtual Cardholder System 104 acting on behalf of the cardholder 

simulates an Internet browser and posts the message to Issuer Access Control Server 107. 
Issuer Access Control Server 107 responds by sending an HTML purchase authentication 
page to Virtual Cardholder System 104. 

[024] In step 209 Virtual Cardholder System 104 extracts displayable information, 

stores the HTML page and formats a message which it sends to Operator Server 103. 
[025] In step 210 Operator Server 103 translates the message to a format that device 

101 understands and requests that the cardholder enter his credentials. 

[026] In step 211 the cardholder enters his credentials using the appropriate 

interactive technology and sends it to Operator Server 1 03 . 

[027] In step 212 operator system 103 converts the message to a format that Virtual 

Cardholder System 104 understands and sends a message containing the cardholder 
credentials to Virtual Cardholder System 104. 

[028] In step 213 Virtual Cardholder System 104 acting on behalf of the cardholder 

extracts the cardholder credentials from the message; parses the stored HTML page 
recognizing the cardholder credentials field; inserts the cardholder credentials in the 
appropriate field and posts the HTML purchase authentication page to the Issuer server 107. 
Issuer Access Control Server 107 accepts the cardholder credentials; authenticates it against 
the account holder database and responds to virtual access control server 107 with an 
authentication response message. 

[029] In step 214 Virtual Cardholder System 104 simulating an Internet browser 

forwards the authentication response message to Merchant Plug-in 105. 
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[030] In step 215 Merchant Plug-in 105 receives and decodes the authentication 

response, validates the digital signature, generates an authorization request message and sends 
it to an acquirer. Merchant Plug-in 105 receives the authorization response message from the 
acquirer and forwards it to Virtual Cardholder System 104. 
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What is claimed: - 

1. A method for authenticating a transaction initiated from a non-internet 
enabled device; comprising: 

• A Cardholder submitting a purchase request message from a non-internet 
enabled device over a network using an appropriate interactive technology; 

• An Operator Server converting the purchase request message from the protocol 
used by the interactive technology to a standard Internet format; 

• A Virtual Cardholder System extracting a unique identifier from the purchase 
request message and matching it with a corresponding value stored in a remote 
database; 

• A Virtual Cardholder System extracting cardholder data (PAN, expiry date, 
CW) stored in the remote database; 

• A Virtual Cardholder System retrieving the Merchant Plug-in URL from the 
purchase request message; 

• A Virtual Cardholder System simulating an Internet browser and starting an 
http/s session with the Merchant Plug-in; 

• A Merchant Plug-in formatting a message and querying a Card Association 
Directory Service on the enrollment status of the PAN; 

• A Card Association Directory Service querying an Issuer Access Control 
Server to determine if PAN is enrolled; 

• An Issuer Access Control Server formatting a message and responding to the 
Card Association Directory Service with PAN participation information; 
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A Card Association Directory Service forwarding the Issuer Access Control 
Server response to the Merchant Plug-in; 

A Merchant Plug-in sending a message to the Issuer Access Control Server via 
the Virtual Cardholder System; 

A Virtual Cardholder System simulating an Internet browser and posting an 
authentication request message to the Issuer Access Control Server; 
An Issuer Access Control Server responding by sending an HTML purchase 
authentication page to the Virtual Cardholder System; 

A Virtual Cardholder System receiving the HTML authentication request page 
from the Issuer Access Control Server; 

A Virtual Cardholder System extracting displayable information and storing 
the HTML authentication request page; 

An Operator Server requesting the cardholder enter his credentials using an 
appropriate interactive technology; 

An Operator Server converting the cardholder credentials from the protocol 
used by the appropriate interactive technology to a standard Internet format; 
A Virtual Cardholder System parsing the stored HTML authentication request 
page and recognizing the cardholder credential field(s); 

A Virtual Cardholder System acting on behalf of the cardholder and inserting 
the credentials into the HTML authentication request page; 
A Virtual .Cardholder System simulating an Internet browser and posting the 
HTML authentication request page to an Issuer Access Control Server; 
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An Issuer Access Control Server authenticating the cardholder credentials 
against an account holder database; 

An Issuer Access Control Server responding to the Virtual Cardholder System 
with an authentication response message; 

A Virtual Cardholder System receiving the authentication response message 
from the Issuer Access Control Server; 

A Virtual cardholder System simulating an Internet browser and forwarding 
the authentication response message to the Merchant Plug-in; 
A Merchant Plug-in decoding the authentication response and validating the 
digital signature; 

A Merchant Plug-in generating an authorization request message and sending 
it to a Gateway, Processor or Acquirer; 

A Gateway, Processor or Acquirer proceeding with the conventional purchase 
authorization process; 

A Merchant Plug-in receives an authorization response message from the 
acquirer and forwards it to the Virtual Cardholder System 
A Virtual Cardholder System forwarding the authorization response message 
to the Operator Server; 

An Operator Server converting authorization response message from a 
standard Internet format to protocol used by the appropriate interactive 
technology; 
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2. The method of claim 1, further comprising using a plurality of non-internet 
enabled devices to capture a purchase request, wherein a mobile phone is just one of the 
plurality of non-internet enabled devices. 

3 . The method of claim 2, wherein the plurality of non-internet enabled devices 
includes a landline telephone. 

4. The method of claim 2, wherein the plurality of non-internet enabled devices 
includes a Personal Digital Assistant (PDA). 

5. The method of claim 2, wherein the plurality of non-internet enabled devices 
includes a laptop computer. 

6. The method of claim 1, further comprising, using a plurality of interactive 
technologies to submit a purchase request, wherein an Interactive Voice Response 
(IVR) is just one of the plurality of interactive technologies. 

7. The method of claim 6, wherein the plurality of interactive technologies 
includes Interactive Voice Response (IVR). 

8. The method of claim 6, wherein the plurality of interactive technologies 
includes Short message Services (SMS). 

9. The method of claim 6, wherein the plurality of interactive technologies 
includes SIM Toolkit (STK). 

10. The method of claim 6, wherein the plurality of interactive technologies 
includes Unstructured Supplementary Services Data (USSD). 
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11. The method of claim 6, wherein the plurality of interactive technologies 
includes Wireless Application Protocol (WAP). 

12. The method of claim 1, further comprising, using a plurality of wired and/or 
wireless network transport mechanisms to route a purchase request, wherein GSM is 
just one of the plurality of network transport mechanisms. 

13. The method of claim 12, wherein the plurality of network transport 
mechanisms includes CDMA. 

14. The method of claim 12, wherein the plurality of network transport 
mechanisms includes TDMA. 

15. The method of claim 12, wherein the plurality of network transport 
mechanisms includes GPRS. 

16. The method of claim 12, wherein the plurality of network transport 
mechanisms includes 3G. 

17. The method of claim 12, wherein the plurality of network transport 
mechanisms includes Bluetooth. 

18. The method of claim 12, wherein the plurality of network transport 
mechanisms includes Infrared. 

19. The method of claim 12, wherein the plurality of network transport 
mechanisms includes RFED. 

20. The method of claim 12, wherein the plurality of network transport 
mechanisms includes Internet. 
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21. The method of claim 1, further comprising, inserting a plurality of 
cardholder credentials into an HTML authentication request page and/or message; 
wherein a PIN is just one of the plurality of credentials. 

22. The method of claim 21, wherein the plurality of credentials includes a 
user Id and/or password. 

23. The method of claim 21, wherein the plurality of credentials includes a 
biometric. 

24. The method of claim 21, wherein the plurality of credentials includes a 
pseudo random number. 

25. The method of claim 21, wherein the plurality of credentials includes a 
cryptogram. 

26. The method of claim 21, wherein the plurality of credentials includes a 
digital signature. 

27. The method of claims 21 to 26, further comprising receiving 
information related to a plurality of credentials, verifying the plurality of credentials 
based on the received information, and authenticating the transaction based on a 
successful verification of the plurality of credentials. 

28. A method of authenticating a transaction initiated from a non-internet 
enabled device substantially as herein described and illustrated with reference to the 
attached drawings 
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29. A system for authenticating a transaction initiated from a non-internet 
enabled device substantially as herein described and illustrated with reference to the 
attached drawings 

30. A method of enabling Issuers, Acquirers and Merchants to use the 3-D 
Secure™ online cardholder authentication protocol to authenticate cardholders 
transacting with non-internet enabled devices. The invention operates as a proxy on 
behalf of the cardholder and simulates a core 3-D Secure™ session to the Merchant 
Plug-in (MPI) and Issuer Access Control Server (ACS). That is, it converts voice 
or data based messages received from a non-internet enabled device into a set of 
messages that are consistent with the requirements of the 3-D Secure™ protocol. 
Further, the invention can be implemented without Issuers, Acquirers or Merchants 
having to upgrade or enhance infrastructure. 

31. A system for enabling Issuers, Acquirers and Merchants to use the 3-D 
Secure™ online cardholder authentication protocol to authenticate cardholders 
transacting with non-internet enabled devices. The invention operates as a proxy on 
behalf of the cardholder and simulates a core 3-D Secure™ session to the Merchant 
Plug-in (MPI) and Issuer Access Control Server (ACS). That is, it converts voice 
or data based messages received from a non-internet enabled device into a set of 
messages that are consistent with the requirements of the 3-D Secure™ protocol. 
Further, the invention can be implemented without Issuers, Acquirers or Merchants 
having to upgrade or enhance infrastructure. A 
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ABSTRACT 

[031] A method of enabling Issuers, Acquirers and Merchants to use the 3-D Secure™ 
online cardholder authentication protocol to authenticate cardholders transacting with non- 
internet enabled devices. The invention operates as a proxy on behalf of the cardholder and 
simulates a core 3-D Secure™ session to the Merchant Plug-in (MPI) and Issuer Access 
Control Server (ACS). That is, it converts voice or data based messages received from a non- 
internet enabled device into a set of messages that are consistent with the requirements of the 
3-D Secure™ protocol. Further, the invention can be implemented without Issuers, Acquirers 
or Merchants having to upgrade or enhance infrastructure. 
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Figure 2 
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